Abstract

This paper presents experiments on common knowledge logic, conducted with the help of the proof
assistant COQ. The main feature of common knowledge logic is the eponymous modality that says that
a group of agents shares a knowledge about a certain proposition in an inductive way. This modality is
specified by using a fixpoint approach. Furthermore, from these experiments, we discuss and compare the
structure of theorems that can be proved in specific theories that use common knowledge logic. Those
structures manifest the interplay between the theory (as implemented in the proof assistant COQ) and
the metatheory.

1 Introduction 

In a previous paper [13], I have presented an implementation of the common knowledge logic in COQ. There
I have shown how this applies to prove mechanically popular (and less popular) puzzles as prolegomenon
of other potential applications. In these experiments I have shown in particular that in the literature
(mostly devoted to the study of the model theory of common knowledge logic) some concepts of proof theory are not
clearly brought out and statements made at the meta-level, i.e., in the meta-theory, are not sorted out from
statements made at the level of the language, i.e., in the theory. In the deep embedding in a proof assistant
(where the logic is fully implemented into the meta-language) the distinction between meta-theory and theory
is made explicit, by construction. The proof assistant cannot accept ill-formed expressions and forces the
user to specify the level of statements he makes, namely inside the theory or outside the theory. Thus the
kind of implication or quantification or even statement, e.g., axiom or premise of a logical implication, has
to be made precise. By contrast, in the handwritten treatments of the puzzles, it is not clear whether
a statement is made an axiom stated as such in the meta-theory or a proposition stated as the premise of a
logical implication. This confusion is especially present in the literature on economic games [22, 8]. Using a
quantification in the meta-theory vs a quantification in the theory can change dramatically the strength of
a statement and its scope.

In this paper, my approach is that of a proof theorist with an inclination to experiments. My goal is
twofold. First I present a new axiomatization of common knowledge logic (axiom FB and rule LFB).
Second I discuss a specific problem of common knowledge logic, namely the dilemma between internalizing
or externalizing implication. Here one needs some explanation. In a proof theoretic approach there are two
kinds of implications: an internal implication (the implication of the object theory) written here $\Rightarrow$, and
the external implication (the implication of the meta-theory) written . Here, $\vdash$ means " is a theorem".
This discussion about the two views of the same problem in common knowledge logic will be made first
through examples and at this exploratory stage no meta-theorem is proved. There are two approaches when
solving a puzzle. In the first approach, a statement is made an axiom, say $\vdash$ , this axiom leads to the
proof of $\vdash \psi$, proving the meta implication . In the second approach, one proves $\vdash C_G() \Rightarrow \psi$, where
$C_G$ is the common knowledge modality. From experiments, I have drawn the following statements. These
two approaches seem to be equivalent and show the interplay between the theory and the meta-theory. An
interesting meta-theorem could be to prove that equivalence (see Section 5). I call external vs internal the
equivalence of pzj^ with $\vdash C_G() \Rightarrow \psi$. In this paper all the discussion is based on experiments made in the
proof assistant COQ and the paper can be seen as the description of those experiments. I discovered in [5] that
the correspondence between  and $\vdash C_G() \Rightarrow C_G(\psi)$ is known, but it is not the one I am looking for. In
what follows, the typewriter font is for code taken from the COQ implementation. Most of the development in
COQ is available on the WEB at http://perso.ens-lyon.fr/pierre.lescanne/COQ/epistemic_logic.v8
(see [13] or a presentation). The rest can be found in [217].

Figure 1: The basic rules of epistemic logic: the system T



2 Presentation of common knowledge logic 
Historical facts 

The concept of common knowledge has been introduced by the philosopher Lewis [15] and has since been used in
several contexts, namely distributed systems [12] [19], artificial intelligence [17] and game theory [1].

Epistemic logic 

The basis of common knowledge logic is epistemic logic. In my experiments in COQ [4], epistemic logic is
presented by a Hilbert-style system of rules and axioms. Since I use second order logic, I define only the
(internal) implication and I derive the other connectors. There are only two rules, namely MP, i.e., the
Modus Ponens, and KG, also known as Knowledge Generalization, and three axioms Taut, K and T. Actually
Taut is an axiom scheme as it says that every classical tautology is a theorem in common knowledge logic.
Such an approach requires a "deep embedding" (see annex [A]). The main reason is that modal logic cannot be
easily implemented with natural deduction without changing its basic philosophy (see annex [B]). Epistemic
logic is based on modal logic and in this paper only the system T (see Figure 1) is considered. Since there is
much flexibility in the terminology, I decided to stick to the terminology of [5]. Epistemic logic introduces
one modality for each agent: it expresses that that agent "knows" the proposition that follows the modality.
More specifically, if  is a proposition, $K_i()$ is the proposition modified by the modality $K_i$ which means
"Agent $i$ knows ". In Figure 1 the statement $\vdash_K$  means that  is a theorem in classical propositional logic
(this time, K stands for the German adjective "klassisch" [9]). Knowing whether classical logic is relevant
is a topic of research with Rene Vestergaard.

Figure 2: Shared knowledge



Common knowledge logic 

Now let us suppose that we have a group $G$ of agents. The knowledge of a fact  can be shared by the
group $G$, i.e., "each agent in $G$ knows ". We write $E_G()$ and the meaning of $E_G$ is easily axiomatized by the
equivalence given in Figure 2, which can also be seen as the definition of $E_G$; it is called shared knowledge.

In common knowledge logic, there is another modality called common knowledge which is much stronger
than shared knowledge. It is also associated with a group $G$ of agents and is written $C_G$. Given , $C_G()$ is
the least solution of the equation

$$x \Leftrightarrow\ \wedge E_G(x).$$

"Least" should be taken w.r.t. the order induced by $\Rightarrow$. A proposition $\psi$ is less than a proposition $p$ if
$p \Rightarrow \psi$. As is well known in fixed point theory, the least solution of the above equation is also the least
solution of the inequation:

$$x \Rightarrow\ \wedge E_G(x).$$

The axiomatization of Figure 3 characterizes $C_G()$ by two properties. Together with the system T and the
definition of $E_G$ it forms the system $CK_G$. It asserts two things.

1. $C_G()$ is a solution of the inequation $x \Rightarrow\ \wedge E_G(x)$, axiom FB,

2. If $p$ is another solution of the inequation, then $p$ implies $C_G()$, which means that $p$ is greater than
$C_G()$. This is rule LFB.

One can prove that $C_G$ satisfies axioms and rules of T, where $K_i$ is replaced by $C_G$ even when $G = \emptyset$. Thus
we prove

$K_C$: $\vdash (C_G() \wedge C_G(\Rightarrow \psi)) \Rightarrow C_G(\psi)$

$T_C$: $\vdash C_G() \Rightarrow$

$KG_C$: $\dfrac{\vdash}{\vdash C_G()}$

$KG_C$ stands for Common Knowledge Generalization. Notice that $T_C$ and pz on one side and $\vdash C_G \Rightarrow C_G$
and $KG_C$ on the other side form the two first instances of external vs internal. Actually one can prove more,
namely that $C_G$ satisfies axiom $4_C$, namely $\vdash C_G() \Rightarrow C_G(C_G())$. It is a variant for common knowledge
logic of the axiom $\vdash K_i() \Rightarrow K_i(K_i())$ of epistemic logic known as Positive Introspection or $4_K$. The proof
of $4_C$ does not require that of $4_K$.$^1$

Notice that the presentation of common knowledge given in Figure 3 is new. It is more robust than that
of Fagin et al. [5] which itself formalizes that of Aumann [1]. Our axiomatization works even for an empty
set of agents and this is crucial, as starting with an empty set of agents is the key of a recursive definition
of $E_G$ and $C_G$.



Two presentations of common knowledge logic 

This presentation should be compared with that given by Meyer and van der Hoek on page 46 of [18] (see
Figure 4). The system $T \cup \{A7, A8, A9, A10, R3\}$, together with the definition of $E_G$, is called $TEC_G$. One
notices that axioms (A7) and (A8) are just a splitting of axiom Fixpoint, i.e., one splits the conclusion
$\ \wedge E_G(C_G())$. Axiom (A9) is axiom $K_C$ mentioned above and (R3) is $KG_C$ also mentioned above. As said,
both (A9) and (R3) can be proved as theorems in $CK_G$. (A10) is more interesting and requires specific
consideration. Figure 5 sketches a proof of (A10) as a theorem in $CK_G$. Therefore $CK_G$ implies $TEC_G$.

1 This seems to show that 4, which is a controverted axiom in general, should be stated more appropriately for the common 
knowledge of a group of agents rather than for the knowledge of an individual agent. 
Figure 3: The rules for common knowledge



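(A7) $C_G() \Rightarrow$

(A8) $C_G() \Rightarrow E_G(C_G())$

(A9) $C_G() \wedge C_G(\Rightarrow \psi) \Rightarrow C_G(\psi)$

(A10) $C_G(\Rightarrow E_G()) \Rightarrow\ \Rightarrow C_G()$

(R3) $\dfrac{\ }{C_G()}$

Figure 4: Meyer and van der Hoek axioms $TEC_G$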



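$TEC_G$ implies $CK_G$.

Indeed axiom FB is an obvious consequence of $TEC_G$ and we prove that rule LFB is a consequence of $TEC_G$
as follows.

Left branch:

$p \Rightarrow\ \wedge E_G(p)$
$p \Rightarrow E_G(p)$
$C_G(p \Rightarrow E_G(p))$ (R3)
$p \Rightarrow C_G(p)$ (A10 + MP)

Right branch:

$p \Rightarrow\ \wedge E_G(p)$
$p \Rightarrow$
$C_G(p \Rightarrow\ )$ (R3)
$C_G(p) \Rightarrow C_G()$ (A9 + MP)

Conclusion from both branches (Transitivity of $\Rightarrow$):

$p \Rightarrow C_G()$

(R10) implies (A10).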

In the above proof, we should notice that instead of axiom (A10), we use rule

$$\dfrac{C_G(\Rightarrow E_G())}{\Rightarrow C_G()} \quad (R10)$$

which is a direct consequence of (A10) by MP. By analogy with (A10), we call that rule (R10). A closer
look shows that we use the derived rule

— — (R10')

which is the above rule combined with (R3). See section Discussion below to understand why we are
interested in that rule. Let us come back to (R10) and let us call $TEC_G$ the system $T \cup \{A7, A8, A9, R10, R3\}$.
Since we have a proof of $CK_G$ in $TEC_G$ and a proof of $TEC_G$, in particular of (A10), in $CK_G$, we have an
indirect proof of $TEC_G$ in $TEC_G$ or, in short, of (R10) implies (A10). Here is a direct proof.
Let us state $A = C_G(\Rightarrow E_G())$ in this proof. First, let us prove $A \wedge\ \Rightarrow C_G(A \wedge\ )$.

$C_G(\Rightarrow E_G()) \Rightarrow (\Rightarrow E_G())$
$C_G(\Rightarrow E_G()) \Rightarrow E_G(C_G(\Rightarrow E_G()))$
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow E_G()$
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow E_G(C_G(\Rightarrow E_G())) \wedge E_G()$
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow$
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow E_G(C_G(\Rightarrow E_G()) \wedge\ )$
Transitivity of $\Rightarrow$
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow\ \wedge E_G(C_G(\Rightarrow E_G()) \wedge\ )$
LFB
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow C_G()$
$C_G(\Rightarrow E_G()) \Rightarrow\ \Rightarrow C_G()$

Figure 5: A proof of Meyer and van der Hoek's axiom (A10)



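$C_G(\Rightarrow E_G()) \Rightarrow (\Rightarrow E_G())$ (A7)
$C_G(\Rightarrow E_G()) \Rightarrow E_G(C_G(\Rightarrow E_G()))$ (A8)
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow (\Rightarrow E_G()) \wedge\ $
$(\Rightarrow E_G()) \wedge\ \Rightarrow E_G()$
$A \wedge\ \Rightarrow E_G(A)$
$C_G(\Rightarrow E_G()) \wedge\ \Rightarrow E_G()$
$A \wedge\ \Rightarrow E_G(A \wedge\ )$
(R10)
$A \wedge\ \Rightarrow C_G(A \wedge\ )$

The rest is easy. First, we notice that we have $C_G(A \wedge\ ) \Rightarrow C_G()$.

$A \wedge\ \Rightarrow$
$C_G(A \wedge\ \Rightarrow\ )$ (R3)
(A9) + MP
$C_G(A \wedge\ ) \Rightarrow C_G()$

By transitivity of $\Rightarrow$, we get $A \wedge\ \Rightarrow C_G()$. But clearly $A \wedge\ \Rightarrow C_G()$ is equivalent to $A \Rightarrow\ \Rightarrow C_G()$ which is
$C_G(\Rightarrow E_G()) \Rightarrow\ \Rightarrow C_G()$, i.e., (A10).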

Discussion 



The equivalence between (A10) and (R10') is a third instance of external vs internal. Indeed, we have shown

IE 



that a proposition of the form I — C G {p) f/^ is equivalent to a rule of the form , — £ . 



3 The three wise men 

The first example we address is the well-known example of the three wise men. See [13] for a more detailed
presentation. It is stated usually as follows ([5], Exercise 1.3): "There are three wise men. It is common
knowledge that there are three red hats and two white hats. The king puts a hat on the head of each of the
three wise men and asks them (sequentially) if they know the color of the hat on their head. The first wise
man says that he does not know; the second wise man says that he does not know; then the third man says
that he knows". Let us call the three wise persons Alice, Bob and Carol. Let us write white Alice for "Alice
wears a white hat" and red Alice for "Alice wears a red hat". The puzzle is based on a function which says
whether an agent knows the color of her (his) hat:

Definition Kh := fun i => (K i (white i)) V (K i (red i)). 

Clearly one has to prove that Kh Carol holds under some assumptions. To make these assumptions clear,
we define in addition a few propositions, namely

Definition One_hat := \-/(fun i:nat => white i V red i).

which says that every agent wears a red hat or a white hat. If P is a predicate, \-/P is the logical
quantification, i.e., the quantification in the theory, not that in the meta-theory.

Definition Two_white_hats := white Bob & white Carol ==> red Alice. 

which says that there are two white hats. Notice that this is stated in a weak form, indeed it is only when 
Bob and Carol wear white hats that one can deduce that Alice wears a red hat. Moreover there are three 
concepts which say that each agent sees the hat of the other agents and therefore knows the color of the hat. 

Definition K_Alice_white_Bob := white Bob ==> K Alice (white Bob). 
Definition K_Alice_white_Carol := white Carol ==> K Alice (white Carol). 
Definition K_Bob_white_Carol := white Carol ==> K Bob (white Carol). 

A first result 

In a first attempt [13], the five above propositions were stated as axioms and I was able to prove:

|- K Carol (K Bob (¬ Kh Alice) & ¬ Kh Bob)
   ==> K Carol (red Carol).

In COQ this would give a statement like

|- One_hat &
   K_Alice_white_Bob &
   K_Alice_white_Carol &
   K_Bob_white_Carol &
   Two_white_hats ->
|- K Carol (K Bob (¬ Kh Alice) & ¬ Kh Bob)
   ==> K Carol (red Carol).

where -> is the meta-implication, i.e., that of COQ, and as usual |- says that proposition is a theorem.

A second result 

In the second attempt one proves: 

|- K Carol (K Bob (One_hat &
                   K_Bob_white_Carol &
                   K_Alice_white_Bob &
                   K_Alice_white_Carol &
                   (K Alice Two_white_hats) &
                   ¬ Kh Alice) &
            ¬ Kh Bob)
   ==> Kh Carol.

This tells exactly the amount of knowledge which Carol requires to deduce that she knows the color of her
hat, actually red. Let us call Alice_Bob_Carol the group made of Alice, Bob and Carol. From the above
statement, one derives the corollary:

|- C Alice_Bob_Carol (Two_white_hats &
                      One_hat &
                      K_Bob_white_Carol &
                      K_Alice_white_Bob &
                      K_Alice_white_Carol)
   ==> K Carol (K Bob (¬ Kh Alice) & ¬ Kh Bob) ==> Kh Carol.

which is weaker. But if we state

$\varphi$ = Two_white_hats &
    One_hat &
    K_Bob_white_Carol &
    K_Alice_white_Bob &
    K_Alice_white_Carol

and

$\psi$ = K Carol (K Bob (¬ Kh Alice) & ¬ Kh Bob) ==> Kh Carol

we notice that we have exhibited a fourth instance of external vs internal since $\vdash C_G() \Rightarrow \psi$ and  are
equivalent.

4 The muddy children 

This problem had many variants [16] [7] El [18]. It is a typical example of how a community of agents acquires
knowledge. In its politically correct version [5] [18], a group of children have mud on their head after playing
during a birthday party. The kids do not know they have mud on their head. The father of the kid who
organized the party asked the children to come around him in a circle for the kids to see each other and he
tells them that there is at least one child who has mud on his face so that they clearly all hear him. Then
Father asks the kids who have mud to step forward. He repeats this last sentence until all the kids step
forward.

Philosophers have been puzzled by the fact that the first sentence of Father, namely "There is at least
one child with mud on his face", is absolutely necessary. This fact is known by the children, but by doing so,
Father makes it a common knowledge. In [13], we have identified that the key lemma is

Lemma Progress :
  forall n p : nat,
  |- C ([:n+1:]) (At_least (n+1) p) &
     E ([:n+1:]) (¬ Exactly (n+1) p)
     ==> C ([:n+1:]) (At_least (n+1) (p+1)).

In other words, if the fact that there is at least p muddy children is a common knowledge and all the children
know that there is not exactly p muddy children, then the fact that there is at least p + 1 muddy children
is a common knowledge. Together with the first statement of Father:

Axiom First_Father_Statement :
  |- C ([:nb_children:]) (At_least n 1).

we are able to prove after n steps C ([:n:]) (At_least n n) which means that the fact that there is at
least n muddy children is common knowledge. This is the final result. Common knowledge is important here
because one can "progress" in common knowledge and not in shared knowledge. Thus the first statement
that provides a first common knowledge allows initialization. The proof of Progress relies on a statement

Knowledge_Diffusion :
  forall n p i : nat,
  |- E ([:n:]) (At_least n p) ==>
     E ([:n:]) (¬ Exactly n p) ==>
     K i (E ([:n:]) (¬ Exactly n p)).

This statement is here to translate what children see after Father has asked the muddy ones to step forward 
and none did. They all know that there is at least p muddy children and they all know that there is not 
exactly p muddy children otherwise those with muddy face would have stepped forward, but now each one 
knows that all the others know that there is not exactly p muddy children. 
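
The role of Father's first statement and of the Progress step can be checked on a small model. The following Python sketch is an added example, not part of the paper's COQ development: it reads the modalities semantically, over possible worlds (an assumption, since the paper works proof-theoretically), and all function names are hypothetical. It computes C_G as the fixpoint of x <=> S & E_G(x) and then plays the rounds of the puzzle.

```python
from itertools import product

def flip(w, i):
    """The one other world child i cannot tell apart from w (own face flipped)."""
    return w[:i] + (1 - w[i],) + w[i + 1:]

def K(i, S, model):
    """Worlds of `model` where child i knows S (axiom T holds: K_i S is inside S)."""
    return {w for w in model
            if w in S and (flip(w, i) not in model or flip(w, i) in S)}

def E(group, S, model):
    """Shared knowledge E_G: every child in the group knows S."""
    out = set(model)
    for i in group:
        out &= K(i, S, model)
    return out

def C(group, S, model):
    """Common knowledge C_G as the fixpoint of x <=> S & E_G(x).

    Iterating x := S & E_G(x) from the whole model reaches the weakest solution,
    i.e. the "least" one for the order induced by implication."""
    x = set(model)
    while True:
        nxt = set(S) & E(group, x, model)
        if nxt == x:
            return x
        x = nxt

def at_least(p, model):
    """The proposition At_least n p: at least p children are muddy."""
    return {w for w in model if sum(w) >= p}

def knows_muddy(w, i, model):
    """Child i is muddy in w and knows it."""
    return w in K(i, {v for v in model if v[i] == 1}, model)

def rounds_until_step_forward(actual, father_speaks=True):
    """Round in which the muddy children step forward, or None if they never can.

    `actual` is a constructed tuple of 0/1 flags with at least one muddy child."""
    n = len(actual)
    model = set(product((0, 1), repeat=n))
    if father_speaks:                      # First_Father_Statement, made public
        model = at_least(1, model)
    for rnd in range(1, n + 1):
        if any(knows_muddy(actual, i, model) for i in range(n)):
            return rnd
        # Nobody stepped forward: drop the worlds where somebody would have.
        silent = {w for w in model
                  if not any(knows_muddy(w, i, model) for i in range(n))}
        if silent == model:                # nothing was learned, no progress
            return None
        model = silent
    return None

def demo():
    """Three muddy children: shared versus common knowledge of At_least 3 1."""
    full = set(product((0, 1), repeat=3))
    g = range(3)
    after = at_least(1, full)
    return {
        "E_before": (1, 1, 1) in E(g, at_least(1, full), full),
        "C_before": C(g, at_least(1, full), full),
        "C_after": C(g, at_least(1, after), after) == after,
    }
```

With three muddy children, everyone already knows that at least one child is muddy, yet the common knowledge set is empty until Father speaks; without his statement the rounds never make progress.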
Knowledge_Diffusion as an axiom

In a first experiment, we made Knowledge_Diffusion an axiom and we were able to prove Progress in its
above form.

Knowledge_Diffusion as a common knowledge

In the second experiment, we consider that proposition Knowledge_Diffusion should not be made an axiom,
i.e., an immutable principle, but it should be made just a rule of a game upon which everyone agrees. Therefore
the rules of the game are common knowledge that everyone accepts; agreeing on these rules makes everyone
act and reason according to them, i.e., "rationally". In this version Progress becomes:

Lemma Progress :
  forall n p : nat,
  |- C ([:n+1:]) (Knowledge_Diffusion) ==>
     (C ([:n+1:]) (At_least (n+1) p) &
      E ([:n+1:]) (¬ Exactly (n+1) p))
     ==> C ([:n+1:]) (At_least (n+1) (p+1)).

Discussion 



Again we show that we can change a statement of the form  into a statement of the form $\vdash C_G() \Rightarrow \psi$.

$\psi$ = C ([:n+1:]) (At_least (n+1) (p+1)).

This is a fifth instance of external vs internal. 

5 The equivalence between internal and external implication 



Fagin et al. [5] in exercise 3.29 notice, with no reference, that pE; and $\vdash C_G() \Rightarrow C_G(\psi)$ are equivalent. One
notices by $T_C$, i.e., $\vdash C_G(p) \Rightarrow p$, that this statement is stronger than external vs internal, which states
the equivalence between  and $\vdash C_G() \Rightarrow \psi$. The proof of that result cannot be readily implemented in
COQ in our current implementation of common knowledge logic since this requires a deeper embedding of
the theory. In short, in order to mechanize that proof, one needs not only to internalize the object implication,
which we called internal implication, but also what we called the external implication, since a meta-proof
of the equivalence requires an induction on the proof of fe. In a first step, one can prove in COQ that
all the rules of common knowledge logic, namely MP, KG and LFB, have their equivalent in the form
$\vdash C_G() \Rightarrow C_G(\psi)$, namely:



The first one is a variant, by the means of $\vdash C_G(x \wedge p)\ \ C_G(x) \wedge C_G(p)$, of $K_C$ or (A9). The second one
is a basic result of common knowledge logic. The third theorem has no equivalent in the literature and has
been proved in COQ for that purpose. Then we get the following interesting result:

Here

C ([:n+1:]) (At_least (n+1) p) &
E ([:n+1:]) (¬ Exactly (n+1) p))

and

$\vdash C_G(p \Rightarrow\ \wedge E_G(p)) \Rightarrow C_G(p \Rightarrow C_G())$

$\vdash C_G(\varphi) \Rightarrow C_G(\psi)$

The back arrow is proved by induction on the length of the deduction $\vdash\ \ \to\ \vdash \psi$. Therefore, one notices
three levels of implications: the implication $\Rightarrow$ in the theory, the implication ^| in the metatheory and the
implication ► in the meta-metatheory. From the above diagram one gets

$\vdash C_G(\varphi) \Rightarrow \psi$ ► $\vdash C_G(\varphi) \Rightarrow C_G(\psi)$.

Actually we have

$\vdash C_G(\varphi) \Rightarrow C_G(\psi)$

as follows

$\vdash C_G(\varphi) \Rightarrow \psi$ and $\vdash C_G() \Rightarrow E_G(C_G())$
$\vdash C_G() \Rightarrow \psi \wedge E_G(C_G())$
LFB
$\vdash C_G(\varphi) \Rightarrow C_G(\psi)$

since $\vdash C_G() \Rightarrow E_G(C_G())$ is a theorem of common knowledge logic.

6 Conclusion 

On the other hand, it is worth mentioning the study on combining common knowledge logic and dynamic
logic we have done with Jerome Puissegur Q3]. The dynamic logic is used to describe changes in the
world, but those changes are purely epistemic (an idea we borrow from Baltag, Moss and Solecki [2]). This
means that they affect only knowledge of the agents and nothing else. The muddy children puzzle has been
axiomatized in this framework and a proof of its results has been fully mechanized in COQ. We can already
draw two lessons from those experiments. First, when merging two modal logics it seems that internalizing
common knowledge is more appropriate. In other words, an approach like $\vdash C_G() \Rightarrow \psi$ should be preferred
to setting the axiom $\vdash$  to prove $\vdash \psi$, as one does not know which metatheory a specific statement belongs
to: dynamic logic or common knowledge logic? Second, a formalization of predicate logic allows expressing
easily arbitrary depth of shared logic according to the number of agents. More precisely, common knowledge
is not a priori necessary in the muddy children example and just a specific number of nested shared
knowledge modalities corresponding to the number of children. This fact was already noticed by authors [5].

A Deep embedding



A logic $\mathcal{L}$, the object logic or the object theory, is said to be deeply embedded in another logic $\mathcal{M}$, the
meta-theory, or in a proof assistant if one considers the logic $\mathcal{M}$ to be that of the proof assistant, if all the
constituents of the logic $\mathcal{L}$ are made objects of the logic $\mathcal{M}$ and all the connectors and the rules of $\mathcal{L}$ are
defined inside the logic $\mathcal{M}$. This is opposed to shallow embedding where $\mathcal{L}$ and $\mathcal{M}$ may share connectors
and rules. A shallow embedding is usually more concise, but in a deep embedding a clear distinction is made
between the connectors of the object theory and those of the meta-theory. In a deep embedding the connector
and the corresponding meta-connector can be somewhat connected, but they cannot match completely. For
instance, it could happen that the meta-disjunctions of two propositions meta-implies the proposition made
as the conjunction of the two propositions and not vice-versa, in a sense made precise in formalizing the
object theory.

Moreover not all the logics can be shallowly embedded. This is the case for common knowledge logic 
which cannot be formalized easily in a natural deduction framework (see next section). 

B Why a Hilbert approach?

The reason why one cannot use a natural deduction or a sequent calculus approach is essentially due to the
rule KG. If one accepts such a rule in natural deduction, one gets

$K_i(\Gamma) \vdash K_i()$

This requires extending the operator $K_i$ to contexts like $\Gamma$. If instead of $K_i$ one uses a modality □, one says
that □($\Gamma$) is a "boxed context". Actually linear logic [10] is perhaps the archetypical modal logic and the
equivalent of $K_i$ is the modality of course written "!". The equivalent of KG is a rule also called of course.
Without that rule the proof net presentation is somewhat simple [11]. Its introduction requires a machinery
of boxes which increases its complexity.